[Vol-users] Howdy

Julian Brown julian at jlbprof.com
Tue Jan 8 12:50:21 CST 2013


Please forgive my noobness.

I am new to Volatility and just viewed a discussion on memory 
acquisition problems and the malware removing itself from the memory 
before it was written to file for later analysis.

Does malware such as Rustock.C leave any traces behind such as portions 
of the program used to "remove" itself from memory but cannot completely 
remove itself?

Or if not, how do the researchers know it was present? Did they do a 
controlled infection and watch it remove itself by other means?

Thanx

Julian





